
From electronic pills to digital tattoos, these eight innovations aim to secure systems and identities without us having to remember a password ever again

8 cutting-edge technologies aimed at eliminating passwords
In the beginning was the password, and we lived with it as best we could. Now, the rise of cyber crime and the proliferation of systems and services requiring authentication have us coming up with yet another not-so-easy-to-remember phrase on a near daily basis. And is any of it making those systems and services truly secure?

One day, passwords will be a thing of the past, and a slew of technologies are being posited as possibilities for a post-password world. Some are upon us, some are on the threshold of usefulness, and some are likely little more than a wild idea, but within each of them is some hint of how we’ve barely scratched the surface of what’s possible with security and identity technology.

The smartphone
The idea: Use your smartphone to log into websites and supply credentials via NFC or SMS.

The good: It should be as easy as it sounds. No interaction from the user is needed, except any PIN they might use to secure the phone itself.

The bad: Getting websites to play along is the hard part, since password-based logins have to be scrapped entirely for the system to be as secure as it can be. Existing credentialing systems (e.g., Facebook or Google login) could be used as a bridge: Log in with one of those services on your phone, then use the service itself to log into the site.

The smartphone, continued
The idea: Use your smartphone, in conjunction with third-party software, to log into websites or even your PC.

Examples: Ping Identity. When a user wants to log in somewhere, a one-time token is sent to their smartphone; all they need to do is tap or swipe the token to authenticate.

The good: Insanely simple in practice, and it can be combined with other smartphone-centric methods (a PIN, for instance) for added security.

The bad: Having enterprises adopt such schemes may be tough if they’re offered only as third-party products. Apple could offer such a service on iPhones if it cared enough about enterprise use; Microsoft might if its smartphone offerings had any traction. Any other takers?

Biometrics
The idea: Use a fingerprint or an iris scan — or even a scan of the vein patterns in your hand — to authenticate.

Examples: They’re all but legion. Fingerprint readers are ubiquitous on business-class notebooks, and while iris scanners are less common, they’re enjoying broader deployment than they used to.

The bad: Despite all its advantages, fingerprint reading hasn’t done much to displace the use of passwords in places apart from where it’s mandated. Iris scanners aren’t foolproof, either. And privacy worries abound, something not likely to be abated once fingerprint readers become ubiquitous on phones.

The biometric smartphone
The idea: Use your smartphone, in conjunction with built-in biometric sensors, to perform authentication.

Examples: The Samsung Galaxy S5 and HTC One Max (pictured) both sport fingerprint sensors, as do models of the iPhone from the 5S onwards.

The good: Multiple boons in one: smartphones and fingerprint readers are both ubiquitous and easy to leverage, and they require no end user training to be useful, save for registering one’s fingerprint.

The bad: It’s not as hard as it might seem to hack a fingerprint scanner (although it isn’t trivial). Worst of all, once a fingerprint is stolen, it’s, um, pretty hard to change it.

The digital tattoo
The idea: A flexible electronic device worn directly on the skin, like a fake tattoo, and used to perform authentication via NFC.

Examples: Motorola has released such a thing for the Moto X (pictured), at a cost of $10 for a pack of 10 tattoo stickers, with each sticker lasting around five days.

The good: In theory, it sounds great. Nothing to type, nothing to touch, (almost) nothing to carry around. The person is the password.

The bad: So far it’s a relatively costly technology ($1 a week), and it’s a toss-up as to whether people will trade typing passwords for slapping a wafer of plastic somewhere on their bodies. I don’t know about you, but even a Band-Aid starts bothering me after a few hours.

The password pill
The idea: This authentication technology involves ingesting something into your body — an electronic “pill” that can send a signal of a few bits through the skin.

Examples: Motorola demonstrated such a pill last year, one produced by Proteus Digital Health normally used for gathering biometrics for patient care (pictured).

The good: A digital pill makes the authentication process completely passive, save for any additional manual authentication (e.g., a PIN) that might be used.

The bad: Who is comfortable (yet) with gulping down a piece of digital technology? Like the digital tattoo, this doesn’t sound like something one would want to use regularly, but rather more as a day pass or temporary form of ID.

Voice printing
The idea: Use voice recognition to authenticate, by speaking aloud a passphrase or a text generated by the system with which you’re trying to authenticate.

Examples: Porticus, a startup profiled back in 2007, has an implementation of this technology (“VoiceKeyID”), available for multiple mobile and embedded platforms.

The good: The phrase used to identify you isn’t the important part; it’s the voice itself. Plus, it can be easily changed; speaking is often faster than typing or performing some other recognition; and it’s a solution that even works in a hands-free environment. Plus, microphones are now standard-issue hardware.

The bad: As with any technology that exists in a proprietary, third-party implementation, the hard part is getting people to pick up on it.

Examples: A prototype version of the system, using a Bluetooth headset that contained an EEG sensor, has been demonstrated by folks at the University of California Berkeley School of Information. The “pass-thoughts” they used consisted of thinking about some easily memorized behavior, e.g., moving a finger up and down.

The good: Consumer-grade EEG hardware is cheap, and the tests conducted by the School of Information showed it was possible to detect a thought-out password with a high degree of accuracy.

The bad: Donning a headset to log in seems cumbersome — that is, assuming you’re not spooked by the idea of a computer reading your thoughts.

Passwords seem like a recent thing, but they’ve been in use for a long time. Here are a dozen of the more memorable ones

Passwords – we all have a million of them in our lives. Like them or not, you can’t escape having to use them for just about everything these days, from unlocking your mobile phone to accessing your bank account online to streaming a movie on Netflix. While the prevalence of passwords has greatly increased thanks to computers and the Internet, they’ve actually been used, in one form or another, to protect things for hundreds, and even thousands, of years. Inspired by a recent Quora thread, here are a dozen of the most famous passwords used through (mostly recent) history, in both the real and fictional worlds.

This story originally appeared on ITworld.com.

00000000
For many years during the Cold War, Minuteman nuclear missiles housed in silos in the United States required a trivial eight-digit code to be launched: 00000000. U.S. nuclear missiles were required to have launch codes by presidential order in 1962, to safeguard against rogue missile launches. While many missiles weren’t outfitted with this additional level of security for years, the codes were installed on U.S.-based Minuteman missiles under the direction of Secretary of Defense Robert McNamara. Once he left office, Strategic Air Defense commanders, who resented McNamara and were concerned about being able to launch the missiles quickly, set the launch codes to all zeroes. What could possibly go wrong?

Open Sesame
The grandaddy of all passwords is Open Sesame, which was the secret phrase that was used in the famous tale, Ali Baba and the 40 Thieves, to open a cave containing treasure belonging to a group of thieves. In the story, part of The Thousand and One Nights (also known as Arabian Nights), a collection of Arabic stories collected over the centuries, Ali Baba, a poor woodcutter, overhears the secret phrase and (tl;dr) eventually gets the treasure. The phrase, of course, is well known and has appeared all over popular culture, including Popeye, Bugs Bunny and SpongeBob.

Chuck Norris
In 2010, an anonymous Facebook engineer claimed in an interview that, at one time, employees could log into any Facebook profile using a master password which was a variant on Chuck Norris (replacing some of the letters with symbols and numbers). She claimed she had personally used it and knew of two other employees who had used it to log in and manipulate other users’ data and were subsequently fired. While she said the password no longer worked, it didn’t really matter because it was replaced by a tool which let Facebook employees log in as another user with the click of a button – provided they had a good reason to do so.

Swordfish
In the 1932 Marx Brothers film Horse Feathers, Groucho Marx’s character, Professor Wagstaff, gains access to a speakeasy using the password Swordfish. Since then, it’s become one of the most well known (and spoofed) passwords and has been referenced over the years throughout popular culture. It’s popped up in (among many other places) Scooby Doo, Mad Men, FETCH! with Ruff Ruffman, Harry Potter, and Star Trek. There was even a hacker movie named after it, as well as a Commodore 64 video game.

Buddy
In June 2000, President Bill Clinton signed the Electronic Signatures in Global and National Commerce (E-SIGN) Act, which made electronic signatures and contracts legal in interstate and foreign commerce. Appropriately, Clinton signed the bill electronically, using a smart card that was encrypted with a private key named after his dog, Buddy. Aside from being easy to guess, the password was also rendered even less secure when Clinton shared it with those in attendance at the signing in Philadelphia. Just to be safe, he also signed the bill the old fashioned way – with a pen.

Joshua
In the classic 1983 geek film WarGames, Matthew Broderick’s character, teenage computer whiz David Lightman, hacks into what he thinks is a computer video game company to play some games. Lightman correctly guessed that the backdoor password to the system was Joshua, the name of the deceased son of the games’ programmer. It turns out that what he really hacked into was the North American Aerospace Defense Command’s (AKA NORAD) War Operation Plan Response (WOPR) computer and the game of Global Thermonuclear War that he starts almost results in World War III. Not only was the story fictional, of course, but so was WOPR, which was really made of plywood and powered for the movie by an Apple II.

Tiger
If you ever worked with an Oracle database, chances are you’ve come across the famous Scott schema, accessed with the password Tiger. This is a demonstration schema consisting of a handful of tables (e.g., EMP, DEPT), meant to illustrate some of the basic concepts of Oracle functionality. The schema was created by Bruce Scott, Oracle employee number 4, and the password was named after his daughter’s cat, Tiger. The Scott schema was installed with Oracle by default through version 8; since version 9 it’s still available for manual installation, though a number of newer sample schemas are now included.

IAcceptTheRisk
In 1981, Xerox released the Star 8010 workstation, a revolutionary computer based on the earlier Alto prototype, that was meant to be used by businesses as part of an office document management system consisting of computers connected via Ethernet. The Star introduced many fundamental interface concepts that became popular, such as a graphical user interface, a bitmapped screen and clickable icons. To perform certain administrative functions on the Star (such as a system recovery), administrators had to use a code of 911 and the password IAcceptTheRisk. The password not only made the system more secure, but also served as an ad hoc Terms of Service.

Z1ON0101
In The Matrix Reloaded, the second movie in The Matrix trilogy, released in 2000, the character Trinity is seen hacking into the computer system of a power plant. Using a real network mapping tool called Nmap, and exploiting a real SSH vulnerability, she’s able to reset the root password for the system to Z1ON0101, and ultimately take control of it. The password is a variation of Zion, the name of the last human city left on Earth in the movie after the destructive war between humans and machines. The scene won acclaim from hackers for its accuracy – while the rest of the world liked it enough to generate $742 million in ticket sales.

12345
12345 is a famous password for several reasons. First, it’s one of the most commonly chosen passwords. Second, one of the people choosing to use it was Syrian president Bashar al-Assad, who picked it as the password to his email account, which was revealed when Anonymous hacked into it in 2012. Finally, 12345 is also known to fans of the Mel Brooks classic comedy Spaceballs as being the password to the planet Druidia’s air shield – as well as the code to unlock Mel Brooks’ character’s luggage.

Sher
In the first episode of the second season of the BBC series Sherlock (A Scandal in Belgravia, 2012) the famous detective tried to crack the 4-character security code on a mobile phone containing compromising photos of a member of the royal family. He finally figured out the code when he realized that the woman whose phone it was was sweet on him; the code was Sher, which went along with the text on the lock screen to spell “I AM SHER LOCKED.” Obviously, it was – in hindsight, at least – elementary.

Parc
In 1972, Xerox engineers at the newly formed Palo Alto Research Center (PARC) built a computer called the Multiple Access Xerox Computer (MAXC), which was a clone of a DEC PDP-10 time-sharing mainframe (after DEC wouldn’t sell Xerox a PDP-10). The MAXC was connected to ARPANET, one of the ancestors of the modern Internet. Guests could log into the MAXC over ARPANET using a guest account and a password of parc (or maxc, as the passwords were periodically swapped), proving that while those Xerox engineers were really smart and forward-thinking, they weren’t particularly creative.